35-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Managing User Accounts and Password Requirements
You can configure user accounts and passwords, and general password requirements, for your IPS
devices. You can configure local users (defined directly on the device), use a RADIUS AAA server, or
use both together. The policies used are the AAA, User Accounts, and Password
Requirements policies in the Platform > Device Admin > Device Access folder.
When you create or edit a local user account in Security Manager, the password you enter must satisfy
the requirements defined in the Password Requirements policy. This ensures that new passwords meet
your security requirements.
Tip: If you change the password requirements and then make changes to any local user account, the new
requirements must be met by all user accounts that have passwords managed by Security Manager. This
is because Security Manager reconfigures the passwords for all managed accounts if any single account
needs to be reconfigured.
The User Accounts policy allows you to centrally manage the local user accounts for your IPS devices.
Using a shared policy can help you ensure that all IPS devices contain the same accounts with the same
passwords. However, it is important to understand that passwords are encrypted, so Security Manager
cannot discover the actual passwords defined on the device. Security Manager manages the passwords
for an account only if you define that password in Security Manager. Security Manager does not manage
any user accounts defined in a RADIUS AAA server.
The following topics describe IPS user accounts, and Security Manager discovery and deployment
considerations, in more detail:
Understanding IPS User Roles, page 35-13
Understanding Managed and Unmanaged IPS Passwords, page 35-14
Understanding How IPS Passwords are Discovered and Deployed, page 35-15
Configuring IPS User Accounts, page 35-16
Configuring User Password Requirements, page 35-18
Configuring AAA Access Control for IPS Devices, page 35-19

Understanding IPS User Roles

There are four user roles for IPS user accounts:

Table 35-3 SNMP Trap Communication Dialog Box (Continued)

Element                 Description
Trap Community String   The community string of the trap. If you do not enter a trap string, the
                        default trap string defined on the SNMP Trap Communication tab is
                        used for traps sent to this destination.
Trap Port               The port used by the SNMP management station to receive traps. Enter
                        the port number or the name of a port list object, or click Select to select
                        the object from a list or to create a new one. The port list object must
                        identify a single port.